Java still has a crucial role to play—despite security risks

Many Ars readers block Java plugins, but say Java apps are important in business.

Java has its security flaws, but it isn't going away any time soon—after all, many important applications run on the technology, especially in business settings. Still, numerous users are worried enough about vulnerabilities that they restrict Java's ability to run on their machines. That's what we heard from Ars readers when we asked Friday whether they let Java run on their computers, and why.

Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. It is those plugins, which let any web page hand code to the runtime, that have been the target of remote code execution attacks.

"Java as a desktop framework is not a big security risk," writes commenter Stilgar. "It is the browser plugin that presents a problem. Avoiding desktop Java on purpose does not make any sense. On the other hand every browser plugin you install on any browser increases the attack surface."

Numerous critical Java flaws have been identified recently. In one case, it took Oracle months to fix a known flaw that was being exploited by attackers. Last week, Apple removed a Java plugin from all OS X Web browsers because of security concerns, but ultimately the decision of whether to run Java and its browser plugins is up to users.

Some users run Java plugins on a case-by-case basis, either by using a "click-to-play" browser feature, or by disabling Java in a primary browser while leaving it enabled in a secondary one. Others just live without the plugins entirely. "The browser plugin is quite useless," writes harold31415. "I disabled it years ago. From time to time I encounter a small physics simulator (or something like that) that for some mysterious reason is a Java applet, but that's just too bad then."

We heard from several commenters who went beyond disabling Java plugins and uninstalled Java entirely.

"At home, I uninstalled it when the last round of problems cropped up—that day I went home and just wiped it from all three home computers, and decided that if the wife and daughter complained, then I'd know we needed it. No complaints yet," says commenter T.N.Toluene.

Java in the enterprise

But Java has lots of real-world use cases, enough that uninstalling or disabling the platform isn't realistic for many users. Numerous people report keeping Java enabled in browsers because of banking, government, work, and school-related websites. "For some odd reason, enterprise environments like Java applets to transfer files," writes commenter tycheung.

Others use desktop applications—like LibreOffice, or Crashplan—that rely on the Java Runtime Environment. The Java-reliant Minecraft is a favorite among many Ars readers. In general, though, it's the enterprise settings that have the strictest Java requirements. As such, some readers report having Java disabled at home but not at work.

So what kinds of enterprise infrastructure require Java, and what are its benefits (and downsides)? Here are some of the answers we received:

• "Frankly, I'm surprised that more desktop software isn't written in Java (even with these security issues)," writes Aaron44126. "I think it's way easier to build serious apps that work consistently across different platforms in Java than it is in most other languages that people use to write desktop apps. I use Eclipse to write software on a daily basis (even though 99 percent of the time I am not working on Java code). Eclipse is written in Java, so Java has a permanent place on my machine. New developers likely run across Java as many schools teach it. It's a great first language (though I think starting a step further down at C/C++ is better)."

• "I am required to use Java every day at work," writes Jackattak. "I work in a heavily virtualized [VMware] ESX environment and all things vSphere and vCenter are all things Java." Cisco's business software is also heavily dependent on Java, Jackattak noted.

• "Some of our server applications are written in Java, and being able to run these applications cross-platform (Windows development workstation, Linux production server) is a big strength," writes Geniekid. "We also use Java because it is a fairly mature language with a huge community. This has the nice side effect of providing us with great tools for automated testing (JUnit), continuous integration (Ant), and code profiling (JVisualVM). Not saying other languages don't have equivalent features, but in general we tend to lean towards Java unless we're writing very specialized code."

• "Many mission-critical business applications still require Java Applets or Java Web Start, eg VPN and remote access clients or components for card-based electronic signatures," writes ujay68. "Here, many vendors still deploy Java solutions that not only suffer from said security issues, but are also—sadly, after 15+ years of Java in the browser, can you believe it—still hard-to-support and easily broken. (How many hotline calls do you get from users that cannot start their applets?) Many end-user apps like maps have all but vanished already."

• "I work in an enterprise environment where a lot of end users and admin tools were built in specific instances of Java," writes cdclndc. "Once in place these things are very hard to change since they 'just work'. Add to that the fact that the original programmers have long since moved on and the code possibly being not documented well, and it just becomes the 600lb gorilla in the room. If management, who tends to think of IT as a profit drain already, sees that the system works they are not going to budget the time and cost it would take to completely recode entire swaths of infrastructure. In their minds the risks don't outweigh the benefits."

Several readers argued that the Java security risks have been overblown, and that the platform is no worse than Adobe Flash and Adobe Reader. But even among those who are skeptical of Java's security, there are some who still rely on it heavily.

"The risk of using Java seems huge to me," writes stabgotham. "Unfortunately, there are so many applications that require [Java] that I truly use it on a regular basis. For example, Air Video Server requires Java and that is what I use to stream movies from my PC to my iPhone and iPad. I try to mitigate it to a certain extent by disabling Java in my browsers and by completely removing it from my MacBook, but it really just appears to be a necessary evil for the time being. It's not just Java that we have to worry about though. Even Flash and Acrobat have had their fair share of issues."

Stabgotham, like several others, worried about Java's impact on users who aren't so tech-savvy, because they may not understand the importance of updating Java or realize that the browser plugins can be disabled. "Since the two of them are installed at the same time, you get to enjoy the risks of both when you install Java, even if you only intend to use desktop apps," writes Tridus. "Normal users are not going to know to disable the browser plugin. Oracle could do everyone a favor if they split the two up or made the plugin a not-default install option."

Java has many fans among developers

Many of the most compelling arguments in favor of Java came, not surprisingly, from developers. Commenter Solomonoff's Secret writes, "I use Java heavily at work because it has the killer combination of: being good enough as a programming language; being cross-platform; having a great set of libraries; running fast. No other language sufficiently meets these criteria, which is why Java is the most popular language."

"Uninstalling Java at home is not an option," writes atfp. "I use it for Android development, Serviio (DLNA server), and Web development. None of these are things I want to stop using or doing."

Some developers talked up the possibility of running Java applications without requiring a full Java desktop installation. Plusjeff, a developer, points out that Java 7 update 10, currently in a developer preview, contains this functionality. "This is all irrelevant as Java 7 update 10 will have support for packaging all apps as native applications (with a bundled runtime embedded in the app) and folks won't need Java pre-installed to run," plusjeff writes. "Oracle was pushing this functionality in the javafxpackager hard at JavaOne earlier this month."

Distributing a Java Virtual Machine along with applications could help both in preventing exploits and preventing Java updates from breaking apps, writes normen, a developer of jMonkeyEngine, a Java-based 3D game engine. Normen writes it "might sound like I want Java on all desktops but I would be fine with distributing a JVM along with my application, similar to the way the JavaFX desktop starter by Oracle already does it. This would avoid the problem of having a global install of Java that can be used for exploits. Basically like any 'normal' library one would use in an application. This also avoids issues with updates of Java breaking one's own application."

A programmer named mog0, who reports having taught Java classes, simply calls it a "piece of crap [that] can't die quick enough." But as we've seen, that's far from the prevailing sentiment. Java has its problems, but it's here to stay—and for plenty of legitimate reasons.

Promoted Comments

To expand on what plusjeff said, that is possible now: all of my company's Java apps come bundled with a JRE that sits in the installation directory and a tiny .exe that basically calls jre\bin\java.exe my.jar. This avoids having Java in the path and all the security problems associated with that.
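A launcher along the lines of the one described in the comment above, written for this page as an added example (it is not the commenter's code, nor Oracle's javafxpackager): a POSIX shell script that only ever runs the JRE shipped beside the application, never one found on PATH or via JAVA_HOME. The directory layout (jre/bin/java and lib/app.jar under the application directory) and the fake JRE it builds for the offline demonstration are assumptions, not something the article describes.

```shell
#!/bin/sh
# Added example: launcher that refuses to use any Java other than the JRE
# bundled with the application. Layout assumed: APP_DIR/jre/bin/java and
# APP_DIR/lib/app.jar (assumption, not from the article).
set -eu

# Print the bundled java binary for APP_DIR, or fail. $JAVA_HOME and $PATH
# are deliberately ignored: a system-wide Java (with its browser plugin and
# whatever patch level the user happens to have) must never be picked up.
bundled_java_path() {
    java_bin="$1/jre/bin/java"
    if [ ! -x "$java_bin" ]; then
        echo "bundled JRE missing or not executable: $java_bin" >&2
        return 1
    fi
    printf '%s\n' "$java_bin"
}

# Run the application jar with the bundled JRE, passing extra arguments on.
# Uses a plain call rather than exec so callers (and the demo below) can
# check the exit status; a real launcher would exec here.
run_with_bundled_jre() {
    app_dir=$1
    shift
    java_bin=$(bundled_java_path "$app_dir") || return 1
    "$java_bin" -jar "$app_dir/lib/app.jar" "$@"
}

# Build a constructed, fake application directory so the script runs offline:
# the stand-in "java" just echoes the arguments it received.
make_fake_app() {
    mkdir -p "$1/jre/bin" "$1/lib"
    printf '#!/bin/sh\necho "fake-java $*"\n' > "$1/jre/bin/java"
    chmod +x "$1/jre/bin/java"
    : > "$1/lib/app.jar"
}

# Demonstration: launch with the bundled JRE, then confirm that a directory
# without one is refused instead of silently falling back to PATH.
demo_dir=$(mktemp -d)
make_fake_app "$demo_dir"
run_with_bundled_jre "$demo_dir" --port 8080
if run_with_bundled_jre "$demo_dir/missing" 2>/dev/null; then
    echo "launcher fell back to a non-bundled Java" >&2
    exit 1
fi
rm -rf "$demo_dir"
```

On Windows the same logic lives in the small .exe stub the comment describes; in both cases the point is that the machine's global Java install, and the browser plugin that comes with it, is never involved. The trade-off is that bundling moves responsibility for JRE security fixes from Oracle's updater to the application vendor: the bundled runtime has to be refreshed with each release, or the app ships a known-vulnerable JRE indefinitely.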